Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- function login($username, $password, $mysqli) {
- echo $username;
- echo '<br>';
- echo $password;
- // Using prepared statements means that SQL injection is not possible.
- if ($stmt = $mysqli->prepare("SELECT user_id, password, privilages
- FROM users
- WHERE username = '$username'")) {
- //$stmt->bind_param('s', $username); // Bind "$email" to parameter.
- $stmt->execute(); // Execute the prepared query.
- $stmt->store_result();
- // get variables from result.
- $stmt->bind_result($user_id, $db_password, $privilages);
- $stmt->fetch();
- if ($stmt->num_rows == 1) {
- // Check if the password in the database matches
- // the password the user submitted.
- if ($db_password == $password) {
- // Password is correct!
- // Get the user-agent string of the user.
- $user_browser = $_SERVER['HTTP_USER_AGENT'];
- // XSS protection as we might print this value
- $user_id = preg_replace("/[^0-9]+/", "", $user_id);
- $_SESSION['user_id'] = $user_id;
- // XSS protection as we might print this value
- $username = preg_replace("/[^a-zA-Z0-9_\-]+/",
- "",
- $username);
- $_SESSION['username'] = $username;
- $_SESSION['privilages'] = $privilages;
- $_SESSION['login_string'] = hash('sha512',
- $password . $user_browser);
- // Login successful.
- return true;
- } else {
- // Password is not correct
- // We record this attempt in the database
- $now = time();
- return false;
- }
- } else {
- // No user exists.
- return false;
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
